What to do when you receive an employee DSAR (UK guide)
A practical step-by-step guide for UK employers responding to a Data Subject Access Request from a current or former employee.
Includes how to search file shares, identify relevant data, and prepare a response.
If you’ve just received a DSAR from a current or former employee, you now have a limited time to respond and may need to locate personal data across multiple systems. This guide explains the key steps involved in responding to an employee DSAR in the UK, including how to identify where data may exist, how to review it, and how to prepare a response. It is designed for HR teams, data protection officers and IT staff dealing with a DSAR for the first time or without dedicated DSAR software.
What is an employee DSAR?
A Data Subject Access Request (DSAR) is a request made by an individual asking for access to personal data held about them. In an employment context, this typically includes current or former employees requesting access to documents, emails and other records relating to them. Employers must respond within the required timeframe and provide copies of relevant personal data, subject to certain exemptions.
What are the key steps in responding to a DSAR?
Responding to a DSAR usually involves several practical steps:
• Identifying where personal data may exist
• Searching systems and document stores
• Reviewing documents to determine relevance
• Redacting third-party or sensitive information
• Preparing a structured response
The complexity depends on how long the individual was employed and how much data exists across your organisation.
What is the deadline for responding to a DSAR?
In most cases, organisations must respond to a DSAR within one month of receiving the request. The time limit can sometimes be extended by up to a further two months if the request is complex or involves a large volume of information. However, this is not automatic. You must assess whether an extension is justified and inform the individual within the initial one-month period if you intend to extend the deadline. For organisations handling a DSAR for the first time, it is often unclear whether an extension applies and how this should be communicated.
Where should you search for employee data?
Relevant data may exist across a range of systems and locations, including:
• Windows file shares and network drives
• Local folders and archived files
• PST files and exported email data
• Documents stored in shared folders
• HR-related documents saved outside formal systems
• Sometimes in Sales/CRM, Accounting, and other in-house systems
In many organisations, these are not centrally organised, making it difficult to locate all relevant information manually.
What types of documents are involved?
Employee data is often contained within common business document formats, including:
• Word documents (.doc, .docx)
• PDFs
• Excel spreadsheets
• PowerPoint presentations
• Email files (.msg, .eml)
• TXT, CSV
• CAD
Searching across these formats requires tools that can inspect file contents, not just file names.
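The point above about inspecting file contents rather than file names, shown as an added example (not part of the original guide and not DSAR.UK's tooling): a minimal Python content search over a .docx, an .eml and a .csv. The function names, search terms and sample files are constructed for illustration.

```python
import html
import io
import re
import zipfile
from email import message_from_bytes, policy

def extract_text(name, data):
    """Return the searchable text of one file, or None if the format is not handled."""
    ext = name.lower().rsplit(".", 1)[-1]
    if ext == "docx":
        # A .docx is a ZIP archive; the body text is XML in word/document.xml.
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            xml = z.read("word/document.xml").decode("utf-8")
        # Word may split a name across runs: drop tags without adding spaces.
        return html.unescape(re.sub(r"<[^>]+>", "", xml.replace("</w:p>", "\n")))
    if ext == "eml":
        msg = message_from_bytes(data, policy=policy.default)
        body = msg.get_body(preferencelist=("plain",))
        heads = " ".join(str(msg[h] or "") for h in ("From", "To", "Cc", "Subject"))
        return heads + "\n" + (body.get_content() if body else "")
    if ext in ("txt", "csv"):
        return data.decode("utf-8", errors="replace")
    return None

def find_hits(files, terms):
    """files maps name -> bytes; terms are identifiers for the requester."""
    pattern = re.compile("|".join(re.escape(t) for t in terms), re.IGNORECASE)
    hits, unsearched = {}, []
    for name, data in files.items():
        text = extract_text(name, data)
        if text is None:
            unsearched.append(name)  # needs another tool or manual review
        elif found := sorted({m.group(0).lower() for m in pattern.finditer(text)}):
            hits[name] = found
    return hits, unsearched

def sample_files():
    """Constructed sample data, not real records."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document><w:body><w:p><w:r><w:t>Meeting "
                   "with Ja</w:t></w:r><w:r><w:t>ne Doe re: appraisal</w:t></w:r></w:p>"
                   "</w:body></w:document>")
    eml = (b"From: hr@example.test\r\nTo: manager@example.test\r\n"
           b"Subject: Payroll query\r\n\r\nEmployee ref E-1042 asked about overtime.\r\n")
    return {"notes_2021.docx": buf.getvalue(), "fwd.eml": eml,
            "rota.csv": b"name,shift\nJohn Smith,late\n", "plan.dwg": b"\x00\x01"}

if __name__ == "__main__":
    print(find_hits(sample_files(), ["Jane Doe", "E-1042"]))
```

Only the main document part of the .docx is read here; headers, footnotes and comments are stored in other parts of the archive. Files returned in the second list were not searched at all and need a format-aware tool or manual review.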
Why DSARs can be difficult to manage
DSARs can quickly become time-consuming, particularly where documents are spread across multiple locations. Challenges include:
• Large volumes of documents
• Conventional search methods may not work for many common file types
• Identifying which files are actually relevant
• Avoiding disclosure of third-party information (e.g. that of other employees)
• Knowing where sensitive information is present and avoiding disclosure of such information
• Applying consistent redactions
• Preparing a response in an acceptable format that can be justified if challenged
For small or mid-sized organisations, these tasks are often handled manually, which increases risk and effort.
How DSAR.UK can help
DSAR.UK provides tools designed specifically for employee DSARs. You can:
• Use free local search tools to scan file shares, folders and PST files
• Identify documents that may contain relevant personal data
• Process documents using optional pay-as-you-go classification and redaction tools
• Prepare structured response bundles for disclosure
Practical for small or high volumes as needed. The search tools run locally, so your data remains under your control.
Start with a quick DSAR triage
If you have received a DSAR and need to understand what to do next, you can start with a quick triage. Tell us when the DSAR was received, your deadline, and where relevant data may exist. This helps determine the most practical way to proceed.